* Add metrics for stat change detection
* Fix test related issues due to partially constructed messages
* lint
* Convert errno to enum class StatResult
* Cleanup from PR feedback
Bumping from BACKGROUND to DEFAULT had the desired impact of processing events faster and reducing memory usage but had a larger-than-expected increase in CPU usage. UTILITY is in the middle of these two and better fits the desired priority.
The use of the background queue is a historical artifact from when Santa had its own kernel extension with separate in-kernel queues for processing AUTH & NOTIFY type events. With the move to ES and the larger number of event types that we now notify on, running at the background QoS carries a small risk that the thread processing these events is not given a chance to run often enough, so the queue grows and increases memory usage.
* Update SNTPolicyProcessor to use a map instead of a giant switch statement
Update SNTPolicyProcessor to use a map instead of a giant switch statement.
Add unit tests for the method that sets SNTCachedDecision values.
* Remove unnecessary OCMock dep in BUILD file.
* Fix typo in method signature.
* Incorporate review feedback.
* Upper case UpdateCachedDecisionSigningInfo
* Update SNTPolicyProcessor.h
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Update SNTPolicyProcessor.mm
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
* Fix typo
* Fix linter issues.
* Fixed up more linter issues.
---------
Co-authored-by: Russell Hancox <russellhancox@users.noreply.github.com>
This includes updating to rules_apple 3.5.1 and protobuf 26.1, as well as updating several tests to no longer use the data attribute to pass in testdata.
* Emit a log warning when overrides were applied
* Overrides now disabled in tests unless explicitly enabled
* Remove log message. Check for xctest instead of bazel env vars.
* Typo
* Change the behavior of addedRulesShouldFlushDecisionCache to flush when 1000 non-allowlist rules are added, a remove rule is encountered, or any new non-allowlist rules are added
* Add tests for cache flushing behavior.
* process annotations: thread the tree through santa
* Update enricher to read annotations from the ProcessTree
* rebase changes
* add configuration for annotations, disabling the tree entirely if none are enabled
* lingering build dep
* use tree factory constructor
* fix configurator
* build fixes
* rebase fixes
* fix tests
* review comments
* lint
* English hard
* record metrics even when event only used for process tree
* ProcessTree: add macos-specific loader and event adapter
* lingering darwin->macos
* lint
* remove defunct client id
* struct rename
* and one last header update
* use EndpointSecurityAPI in adapter
* expose esapi in message
* Responses to events about to exceed deadline should respect FailClosed
* Only respect FailClosed when in Lockdown mode. Update docs.
* FailClosed in Configurator now wraps checking client mode
* PR feedback
* Fix execution controller tests with new FailClosed logic
* ProcessTree: add core process tree logic
* make Step implicitly called by Handle* methods
* lint
* naming convention
* widen pidversion to be generic
* move os specific backfill to os specific impl
* simplify ts checking
* retain/release a whole vec of pids
* document processtoken
* lint
* namespace
* add process tree to project-wide unit test target
* case change annotations
* case change annotations
* remove stray comment
* default initialize seen_timestamps
* fix missing initialization of refcnt and tombstoned
* reshuffle pb namespace
* pr review
* move annotation registration to tree construction
* use factory function for tree construction
* WIP Clean syncs now leave non-transitive rules by default
* WIP Get existing tests compiling and passing
* Remove clean all sync server key. Basic tests.
* Add SNTConfiguratorTest, test deprecated key migration
* Revert changes to santactl status output
* Add new preflight response sync type key, lots of tests
* Rework configurator flow a bit so calls cannot be made out of order
* Comment clean sync states. Test all permutations.
* Update docs for new sync keys
* Doc updates as requested in PR
* Make santactl status always print out transitive rule status even when not using a sync service.
* Fix typo in SNTCommandRule.m.
* Updated JSON values to put transitive_rules in the daemon section.
* Add missing config keys
* Use more consistent wording
* More consistent whitespace
* Reorder constants to appropriate section groups
* Update docs/deployment/configuration.md
Co-authored-by: Pete Markowsky <pmarkowsky@users.noreply.github.com>
---------
Co-authored-by: Pete Markowsky <pmarkowsky@users.noreply.github.com>